我在elastalert中有一些问题,这些问题确实使我陷入困境。我正处于问题之中,确实需要您的帮助。我的问题如下:
我曾经尝试过一个一个地跟随,但没有任何效果。
filter:
- term:
# essage: "*INFO*"
# query: "info"
# host.name: "*IPADDRESS.us-east-2.compute.internal*"
以上都不起作用。
答案 0 :(得分:1)
您的问题有点笼统,因此,我只能给出一些指示,但是您可能希望运行以下内容:
# From rules/example_frequency.yaml
name: Immediate attention is necessary.
type: frequency
index: logstash-ming-ossec-syslog-new-*
num_events: 1
timeframe:
minutes: 10
#- query:
# query_string:
# query: 'res:failed AND op:login AND (NOT acct:root) AND (NOT acct:(unknown))'
#filter:
#- query:
# query_string:
# query: "system.log.severity: SEVERE
#or whatever makes sense with your data
filter:
- query:
query_string:
query: "alarm AND error AND (critical OR severe)"
default_field: syslog_message
alert:
- "email"
email:
- "ming@log4analytics.com"
- "fgh@outlook.com"
smtp_host: "smtp.mailgun.org"
smtp_port: 25
smtp:ssl: true
from_addr: "ming@log4analytics.com"
smtp_auth_file: '/opt/elastalert/smtp_auth_file.yaml'
受到https://github.com/Yelp/elastalert/blob/master/example_rules/example_frequency.yaml
的启发